Storage and retrieval of dispersed storage network access information

US 9,229,823 B2
Filed: 08/16/2012
Issued: 01/05/2016
Est. Priority Date: 08/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a computing device, the method comprises:

receiving a certificate signing request (CSR) from a user device regarding a user, wherein the CSR includes user information regarding the user;

generating a set of hidden passwords based on the user information;

accessing a set of authenticating units to obtain a set of passkeys based on the set of hidden passwords and a set of random numbers;

retrieving a set of encrypted shares based on the user information from the set of authenticating units;

decrypting the set of encrypted shares based on the set of passkeys and the set of random numbers to produce a set of encoded shares;

decoding, in accordance with a share encoding function, the set of encoded shares to recapture a private key associated with the user;

generating a user signed certificate based on the private key;

discarding the private key to substantially protect the private key from the user device; and

outputting the user signed certificate to the user device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving a certificate signing request (CSR) from a user device. The method continues with the DS processing module generating a set of hidden passwords based on the CSR and accessing a set of authenticating units to obtain a set of passkeys. The method continues with the DS processing module retrieving a set of encrypted shares and decrypting the set of encrypted shares to produce a set of encoded shares. The method continues with the DS processing module decoding the set of encoded shares to recapture a private key and generating a user signed certificate based on the private key. The method continues with the DS processing module discarding the private key to substantially protect the private key from the user device and outputting the user signed certificate to the user device.

87 Citations

View as Search Results

12 Claims

1. A method for execution by a computing device, the method comprises:
- receiving a certificate signing request (CSR) from a user device regarding a user, wherein the CSR includes user information regarding the user;
  
  generating a set of hidden passwords based on the user information;
  
  accessing a set of authenticating units to obtain a set of passkeys based on the set of hidden passwords and a set of random numbers;
  
  retrieving a set of encrypted shares based on the user information from the set of authenticating units;
  
  decrypting the set of encrypted shares based on the set of passkeys and the set of random numbers to produce a set of encoded shares;
  
  decoding, in accordance with a share encoding function, the set of encoded shares to recapture a private key associated with the user;
  
  generating a user signed certificate based on the private key;
  
  discarding the private key to substantially protect the private key from the user device; and
  
  outputting the user signed certificate to the user device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein accessing the set of authenticating units comprises:
    - generating the set of random numbers;
      
      generating a set of blinded passwords based on the set of hidden passwords and the set of random numbers;
      
      identifying the set of authenticating units based on the user information;
      
      outputting the set of blinded passwords to set of identified authenticating units; and
      
      receiving the set of passkeys from the set of identified authenticating units.
  - 3. The method of claim 1, wherein accessing the set of authenticating units comprises:
    - generating the set of random numbers;
      
      generating a set of blinded passwords based on the set of hidden passwords and the set of random numbers;
      
      identifying the set of authenticating units based on the user information;
      
      retrieving a set of recovered random numbers from the set of identified authenticating units; and
      
      generating the set of passkeys based on the set of blinded passwords and the set of recovered random numbers.
  - 4. The method of claim 1, wherein the decrypting the set of encrypted shares comprises:
    - generating a set of encryption keys based on the set of passkeys and the set of random numbers; and
      
      decrypting the set of encrypted shares utilizing the set of encryption keys to reproduce the set of encoded shares.
  - 5. The method of claim 1, wherein the decoding the set of encoded shares comprises at least one of:
    - decoding the set of encoded shares using a secret share function as the share encoding function; and
      
      decoding the set of encoded shares using a dispersed storage error encoding function as the share encoding function.
  - 6. The method of claim 1, wherein the generating a user signed certificate comprises:
    - generating, on behalf of the user, a certification signature based on the private key; and
      
      generating the signed certificate based on a certificate of the CSR and the certification signature such that the user device uses the signed certificate to obtain a certificate authority signed certificate from a certificate authority to access a dispersed storage network.

7. An authentication token comprises:
- memory; and
  
  a processing module, wherein the memory stores operational instructions that, when executed by the processing module, causes the processing module to;
  
  receive a certificate signing request (CSR) from a user device regarding a user, wherein the CSR includes user information regarding the user;
  
  generate a set of hidden passwords based on the user information;
  
  access a set of authenticating units to obtain a set of passkeys based on the set of hidden passwords and a set of random numbers;
  
  retrieve, from the memory, a set of encrypted shares based on the user information;
  
  decrypt the set of encrypted shares based on the set of passkeys and the set of random numbers to produce a set of encoded shares;
  
  decode, in accordance with a share encoding function, the set of encoded shares to recapture a private key associated with the user;
  
  generate a user signed certificate based on the private key;
  
  discard the private key to substantially protect the private key from the user device; and
  
  outputting the user signed certificate to the user device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The authentication token of claim 7, wherein the processing module functions to access the set of authenticating units by:
    - generating the set of random numbers;
      
      generating a set of blinded passwords based on the set of hidden passwords and the set of random numbers;
      
      identifying the set of authenticating units based on the user information;
      
      outputting the set of blinded passwords to set of identified authenticating units; and
      
      receiving the set of passkeys from the set of identified authenticating units.
  - 9. The authentication token of claim 7, wherein the processing module functions to access the set of authenticating units by:
    - generating the set of random numbers;
      
      generating a set of blinded passwords based on the set of hidden passwords and the set of random numbers;
      
      identifying the set of authenticating units based on the user information;
      
      retrieving a set of recovered random numbers from the set of identified authenticating units; and
      
      generating the set of passkeys based on the set of blinded passwords and the set of recovered random numbers.
  - 10. The authentication token of claim 7, wherein the processing module functions to decrypt the set of encrypted shares by:
    - generating a set of encryption keys based on the set of passkeys and the set of random numbers; and
      
      decrypting the set of encrypted shares utilizing the set of encryption keys to reproduce the set of encoded shares.
  - 11. The authentication token of claim 7, wherein the processing module functions to decode the set of encoded shares by at least one of:
    - decoding the set of encoded shares using a secret share function as the share encoding function; and
      
      decoding the set of encoded shares using a dispersed storage error encoding function as the share encoding function.
  - 12. The authentication token of claim 7, wherein the processing module functions to generate a user signed certificate by:
    - generating, on behalf of the user, a certification signature based on the private key; and
      
      generating the signed certificate based on a certificate of the CSR and the certification signature such that the user device uses the signed certificate to obtain a certificate authority signed certificate from a certificate authority to access a dispersed storage network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Gladwin, S. Christopher, Baptist, Andrew, Shirley, Thomas Franklin Jr.
Primary Examiner(s)
Goodchild, William
Assistant Examiner(s)
Nipa, Wasika

Application Number

US13/587,277
Publication Number

US 20130046992A1
Time in Patent Office

1,237 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 11/1446   Point-in-time backing up or...

G06F 11/1612   where the redundant compone...

G06F 15/17331   Distributed shared memory [...

G06F 21/00   Security arrangements for p...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 3/06   Digital input from, or digi...

G06F 3/0604   Improving or facilitating a...

G06F 3/067   Distributed or networked st...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 9/00   Cryptographic mechanisms or...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/0877   using additional device, e....

H04L 9/0894   Escrow, recovery or storing...

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04L 9/40   Network security protocols

Storage and retrieval of dispersed storage network access information

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Storage and retrieval of dispersed storage network access information

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links